
🗂️PortSwigger Lab Writeup: File Path Traversal - Simple Case



🎯 Objective

The objective of this lab is to exploit a simple case of path traversal vulnerability in a web application to retrieve the contents of the sensitive file /etc/passwd.


💉 Payloads Used

  • Used as a value for the filename parameter - ✅
../../../../etc/passwd

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
  • At first glance, the website seems to be a shopping website with very unique and unrelated products. In the lab description, it is mentioned that the vulnerability is in the display of product images.

🔍Step 2: Find the Vulnerable Endpoint

  • Open the Network tab of Developer Tools to see what resources the website loads.
  • The site dynamically loads product images by requesting /image?filename=..., as seen in the Network tab.
  • You can also verify this by looking at the source code of the website.
  • This could be the vulnerable endpoint, since it takes a file name directly in a request parameter, which is the typical pattern for path traversal.

🧰Step 3: Capture Requests in Burp Suite

  • Start Burp Suite and reload the website to capture requests.
  • By default, Burp Suite hides image requests in HTTP History, so first enable the image requests filter.
  • After enabling the images filter, you will see all the requests you saw in the Network tab of Developer Tools.

🚀Step 4: Send the Payload

  • Based on our initial observations, the /image?filename=... endpoint appears to be the most likely vulnerable endpoint.
  • For testing, first send any image request to the Repeater tab.
  • Put the most common payload, ../../../../etc/passwd, in the ?filename= parameter and send the request.
  • And 💥 Boom! We got the contents of the /etc/passwd file.
  • And finally, the lab is solved.

🧠 Conclusion

  • This lab involves a very basic case of path traversal vulnerability, where the filename parameter is used to load product images from the server without proper sanitization or filtering.
  • Without proper checks in place, an attacker can traverse the filesystem and access unintended files.
  • By injecting ../ sequences, we traversed out of the intended /image directory and accessed the sensitive file /etc/passwd due to improper path validation.
  • This type of vulnerability is still common in legacy or poorly validated applications.
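
The missing check described in the conclusion, shown as an added example that is not part of the original writeup or the lab's server code: a naive path join beside a version that canonicalizes the path and rejects anything outside the image root. The root /var/www/images and both function names are assumptions made for illustration.

```python
import os

# Assumed image root; the writeup does not say where the lab stores its images.
IMAGE_ROOT = "/var/www/images"


def resolve_vulnerable(filename, root=IMAGE_ROOT):
    """Join the user-supplied name to the root with no validation (the flaw)."""
    return os.path.normpath(os.path.join(root, filename))


def resolve_safe(filename, root=IMAGE_ROOT):
    """Return the canonical path only if it stays inside root, else None."""
    root_real = os.path.realpath(root)
    # realpath collapses ../ sequences and follows symlinks before the check,
    # so the comparison is made on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(root_real, filename))
    # commonpath compares whole components, so a sibling such as
    # /var/www/images_old is not mistaken for a child of /var/www/images.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and three escapes.
    samples = [
        "shoe.jpg",
        "../../../../etc/passwd",   # payload from this writeup
        "/etc/passwd",              # absolute path discards the root in join()
        "../images_old/x.jpg",      # sibling directory sharing a name prefix
    ]
    for name in samples:
        print(f"{name!r}: vulnerable -> {resolve_vulnerable(name)}, "
              f"safe -> {resolve_safe(name)}")
```

A handler built on resolve_safe would answer a None result with an error response rather than opening the file.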